Need Help Configuring Shibboleth for Remote Auth

Cantor, Scott cantor.2 at
Fri Dec 11 12:48:56 EST 2015

On 12/11/15, 12:17 PM, "users on behalf of Cris Bettis" <users-bounces at on behalf of cris.bettis at> wrote:

>I'd like to configure Shibboleth to hand over control to this server, allow a user to log in and accept information back that allows it to continue the SAML conversation it started with another SP.
>Currently, it is looking like RemoteUser Authentication is the way to go here. 

Not unless you have already integrated that authentication process with a web server. You can't just redirect over and back. That's SSO, that's a totally different kind of approach.

RemoteUser is container-mediated login to the IdP. Until you build authentication into your container, you aren't ready to even talk about using it with the IdP.

>Commented out all non RemoteUser methods in the general-auth.xml file.

That is not needed.

>I've updated this line in  ```conf/authn/remoteuser-authn-config.xml``` with my server's url

Absolutely 100% no. That has to point to the servlet used by the IdP to pick up the REMOTE_USER or header value you're setting through some other mechanism. It CANNOT point to a different server, that wouldn't make any sense.

>The SP negotiates with Shibboleth correctly. And indeed Shibboleth will forward to this server.  However, I cannot seem to pass back adequate credentials in a way Shibboleth understands.

This isn't about the IdP, this is about what it means to use a container-managed authentication process. You can't do that through the IdP. By definition it already must exist. All the IdP does is supply a flexible servlet to pick up the identify from a number of possible sources that you must already be populating outside the IdP.

-- Scott

More information about the users mailing list